The iTunes Hack Attack, Hiding in Plain Sight

Generally, we’re pretty tuned in to events happening in the retail world. But once in a while, we find out we’ve been completely blind to something until it hits us directly. So it has been with what appears to be a massive and ongoing security breach in the iTunes store. Coupling this incident with the recent announcement by Walmart and Target that they are joining with roughly two dozen other retailers to develop a mobile payment system has led me to write a piece that picks up where partner Nikki Baird’s piece leaves off. My short message is “Kids, don’t try this at home. Make sure something happens, but leave payment processing to the pros.”

I know the scent of a $660 billion market is intoxicating to retailers, and the notion of recouping just a single point ($6.6 billion) is nothing short of ambrosia, but there’s a whole lotta grief waiting to happen. And stellar reputations are at risk.

First, my iTunes hack story, which should help illustrate the point. I was at a party the first weekend in March and went to my iPhone to look something up. I discovered a new app had arrived on my phone that looked like the photo below.

Clearly this is not something I would buy. So I showed it around, laughed, took a picture of my screen and deleted the app. When I arrived home I discovered an email from Apple, letting me know my iTunes account had been accessed from a device in China. The exact message I received was “Your Apple ID, (my email), was just used to download QQ欢乐王国 from the App Store on a computer or device that had not previously been associated with that Apple ID.” Ya think?

I had to change my password to one that Apple decided was stronger, and then find all the #$#$ devices and programs that are using that ID on my phone, computer and who-all-knows-where else. But then I decided to find out if I was the only one with this problem.

That’s when I found out that a) this has been going on since 2010, b) it has affected hundreds if not thousands of people, c) there have been sporadic reports in the media about the problem and d) Apple has not been responding in a customer-friendly manner at all.

Click on this link. As of this writing there are 1,352 comments and (wait for it) 199,348 views in just one forum alone. And I write in advance of our publication date. I posted a “Yeah, me too” comment. Now I’m subscribed, and my inbox is literally inundated with new posts from just this one forum all day long.

It turns out I was one of the lucky ones. The charges never even made it to PayPal (no…I don’t give credit card info to Apple), and I was clean. People with gift cards weren’t so lucky. Their card balances were wiped out, and in some cases reinstated and THEN wiped out by Apple again because they’d been compromised.

Here are some more things I learned on those forums. 1) This hack has nothing to do with any user-owned devices. It’s all about the Apple servers. 2) Since Apple is adamant that it encrypts its data, someone obviously has at least some pieces of that encryption key. That’s why the new passwords required are far more stringent than older ones. 3) Apple’s iTunes Terms of Service (TOS) explicitly states that it’s not responsible for losses. The exact verbiage is: “As a registered user of the iTunes Service, you may establish an account (“Account”). Don’t reveal your Account information to anyone else. You are solely responsible for maintaining the confidentiality and security of your Account and for all activities that occur on or through your Account, and you agree to immediately notify Apple of any security breach of your Account. Apple shall not be responsible for any losses arising out of the unauthorized use of your Account.” Whoa. What if I had nothing to do with those losses?

I wrote to ask my favorite Mac fanatic if she’d heard anything about it. She reported no chatter in the Apple developer community. But she did send me this link, dated March 6, announcing that Apple has won a patent for its own Near Field Communications chip, called iWallet, or as Apple calls it, “The one that will rule the world.” Really? Not with those TOS it won’t. And if the encryption algorithm is vulnerable, why do we think the NFC chip is going to be any less vulnerable? I can envision foil-lined wallets as the new craze, and foil-lined phone cases as the next great fashion accessory.

The bottom line? I want to deliver two messages to you, our readers. First to you as individuals: it’s time to change your iTunes passwords to something stronger. Apple will let you know when you’ve got one that it believes is good enough. Second, to the retailer in us all: Maybe we shouldn’t quit our day jobs.

We’re really good at buying and selling stuff, and building brands. But if Apple, with its billions in cash, Linux OS, and worldwide R&D can be hacked, so can we. Wasn’t PCI painful enough? How do you place a monetary value on the good will lost to thousands of customers? People are looking for an escape route out of iTunes and anything that requires handing over a credit card to Apple. Is it a vocal minority? I’d say yes, except the hacks keep on coming. I’m not sure the problem has been resolved at all. So I have no idea how long this will go on.

We have enough trouble predicting demand and managing erratic commodity prices and retail price transparency. Do we really all want to be telecom providers and banks too? I don’t think so. That’s why I say, “Kids… don’t try this at home.” We’re in a pretty good situation with regard to data theft, at least in the US. The TJX data breach and the ones that followed taught us that customers are forgiving as long as it doesn’t cost them any money. It’s annoying to get new credit cards, but nowhere near as annoying as having your gift card account wiped out.

So think of this as a cautionary tale. We’re not software developers, banks, or credit card processors. We’re retailers. And it might be a good idea to stick to our knitting.

One last thing: I am still an iTunes user, and still like most of my Apple-made computers and devices, but this has been so badly handled that I’m shocked. Shouldn’t we have all been asked to change our passwords proactively? It’s a bit like the famous Steve Jobs Reality Distortion Field at work: just assume it’s not real and it will go away. Guys, it won’t.